win.liteduke

LiteDuke

Actor(s): APT29


According to Carbon Black, LiteDuke is a third-stage backdoor. It appears to use the same dropper as PolyglotDuke. Its payload uses an AES-encrypted SQLite database to store its configuration. LiteDuke supports a large number of individual commands, including host information retrieval, file upload and download, and the ability to execute other code. LiteDuke C2 servers appear to be compromised servers, and the malware communicates with them using normal HTTP requests. It attempts to use a realistic User-Agent string to blend in with normal HTTP traffic.
ESET has dubbed it LiteDuke because it uses SQLite to store information such as its configuration.

References
- Kevin Perlow, "Looking Back at LiteDuke", One Night in Norfolk, 2020-05-18. https://norfolkinfosec.com/looking-back-at-liteduke/ (accessed 2020-05-18). Families covered: LiteDuke.
- Scott Knight, "The Dukes of Moscow", VMWare Carbon Black, 2020-03-26. https://www.carbonblack.com/2020/03/26/the-dukes-of-moscow/ (accessed 2020-05-18). Families covered: Cobalt Strike, LiteDuke, MiniDuke, OnionDuke, PolyglotDuke, PowerDuke.
Yara Rules
[TLP:WHITE] win_liteduke_auto (20230407 | Detects win.liteduke.)
rule win_liteduke_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2023-03-28"
        version = "1"
        description = "Detects win.liteduke."
        info = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator v0.6.0"
        signator_config = "callsandjumps;datarefs;binvalue"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.liteduke"
        malpedia_rule_date = "20230328"
        malpedia_hash = "9d2d75cef573c1c2d861f5197df8f563b05a305d"
        malpedia_version = "20230407"
        malpedia_license = "CC BY-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using YARA-Signator.
     * The code and documentation is published here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */


    strings:
        $sequence_0 = { ff75fc ff15???????? 6830750000 ff15???????? ff35???????? e8???????? }
            // n = 6, score = 200
            //   ff75fc               | push                dword ptr [ebp - 4]
            //   ff15????????         |                     
            //   6830750000           | push                0x7530
            //   ff15????????         |                     
            //   ff35????????         |                     
            //   e8????????           |                     

        $sequence_1 = { 8945d0 8b4518 0500010000 c1e002 }
            // n = 4, score = 200
            //   8945d0               | mov                 dword ptr [ebp - 0x30], eax
            //   8b4518               | mov                 eax, dword ptr [ebp + 0x18]
            //   0500010000           | add                 eax, 0x100
            //   c1e002               | shl                 eax, 2

        $sequence_2 = { 56 57 6a40 6800300000 ff750c 6a00 e8???????? }
            // n = 7, score = 200
            //   56                   | push                esi
            //   57                   | push                edi
            //   6a40                 | push                0x40
            //   6800300000           | push                0x3000
            //   ff750c               | push                dword ptr [ebp + 0xc]
            //   6a00                 | push                0
            //   e8????????           |                     

        $sequence_3 = { ff75e4 ff15???????? 837de800 7410 6800800000 6a00 ff75e8 }
            // n = 7, score = 200
            //   ff75e4               | push                dword ptr [ebp - 0x1c]
            //   ff15????????         |                     
            //   837de800             | cmp                 dword ptr [ebp - 0x18], 0
            //   7410                 | je                  0x12
            //   6800800000           | push                0x8000
            //   6a00                 | push                0
            //   ff75e8               | push                dword ptr [ebp - 0x18]

        $sequence_4 = { 6a00 e8???????? 58 ff90b5f3ffff }
            // n = 4, score = 200
            //   6a00                 | push                0
            //   e8????????           |                     
            //   58                   | pop                 eax
            //   ff90b5f3ffff         | call                dword ptr [eax - 0xc4b]

        $sequence_5 = { 55 89e5 ff7508 e8???????? ff7508 e8???????? }
            // n = 6, score = 200
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     
            //   ff7508               | push                dword ptr [ebp + 8]
            //   e8????????           |                     

        $sequence_6 = { c1c006 243f 3c3e 7205 c0e002 2c0e 2c04 }
            // n = 7, score = 200
            //   c1c006               | rol                 eax, 6
            //   243f                 | and                 al, 0x3f
            //   3c3e                 | cmp                 al, 0x3e
            //   7205                 | jb                  7
            //   c0e002               | shl                 al, 2
            //   2c0e                 | sub                 al, 0xe
            //   2c04                 | sub                 al, 4

        $sequence_7 = { 01d8 51 52 55 50 ff15???????? 5a }
            // n = 7, score = 200
            //   01d8                 | add                 eax, ebx
            //   51                   | push                ecx
            //   52                   | push                edx
            //   55                   | push                ebp
            //   50                   | push                eax
            //   ff15????????         |                     
            //   5a                   | pop                 edx

        $sequence_8 = { 8945a0 6a00 6a00 6a00 6a04 ff75a0 ff15???????? }
            // n = 7, score = 200
            //   8945a0               | mov                 dword ptr [ebp - 0x60], eax
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a00                 | push                0
            //   6a04                 | push                4
            //   ff75a0               | push                dword ptr [ebp - 0x60]
            //   ff15????????         |                     

        $sequence_9 = { 8b45f4 8b5df8 c9 c20400 55 89e5 83ec18 }
            // n = 7, score = 200
            //   8b45f4               | mov                 eax, dword ptr [ebp - 0xc]
            //   8b5df8               | mov                 ebx, dword ptr [ebp - 8]
            //   c9                   | leave               
            //   c20400               | ret                 4
            //   55                   | push                ebp
            //   89e5                 | mov                 ebp, esp
            //   83ec18               | sub                 esp, 0x18

    condition:
        7 of them and filesize < 1171456
}